Urgent operational usage of commercial electronic equipment is nothing new. Early in the GWOT, FRS “walkie talkie” equipment was frequently purchased by individual troops or with unit funds to address a shortage of comms at the squad level. Later, theater orders were issued prohibiting their usage due to grievous OPSEC/COMSEC issues and this shortfall was addressed with TPE (theater provided equipment) issue of ICOM and other commercial radio systems.
In a similar vein, Army organizations have procuring commercial hobbyist UAV systems to provide situational awareness and ISR capabilities “on the cheap.” However, such systems introduce a multitude of operational and cyber vulnerabilities. For the most common systems made by DJI, telemetry, audio, video, and locational data is sent back by default to the Chinese manufacturer.
On 2 August, the US Army prohibited the use of DJI drones:
DEPARTMENT OF THE ARMY
OFFICE OF THE DEPUTY CHIEF OF STAFF, G-3/5/7
400 ARMY PENTAGON
WASHINGTON, DC 20310-0400
DAMO-AV
MEMORANDUM FOR RECORD
2 August 2017
SUBJECT: Discontinue Use of Dajiang Innovation (DJI) Corporation Unmmaned Aircraft Systems
1. References:
a. Army Research Laboratory (ARL) report, “DJI UAS Technology Threat and User Vulnerabilities,” dated 25 May 2017 (Classified).
b. Navy memorandum, “Operational Risks with Regards to DJI Family of Products,” dated 24 May 2017.
2. Background: DJI Unmanned Aircraft Systems (UAS) products are the most widely used non-program of record commercial off-the-shelf UAS employed by the Army. The Army Aviation Engineering Directorate has issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets. Due to increased awareness of cyber vulnerabilities associated with DJI products, it is directed that the U.S. Army halt use of all DJI products. This guidance applies to all DJI UAS and any system that employs DJI electrical components or software including, but not limited to, flight computers, cameras, radios, batteries, speed controllers, GPS units, handheld control stations, or devices with DJI software applications installed.
3. Direction: Cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.
4. Point of Contact: Headquarters, Department of the Army G-3/5/7 Aviation Directorate, 703-693-3552
JOSEPH ANDERSON
Lieutenant General, GS
Deputy Chief of Staff, G-3/5/7
Exploitation of data collected by these drones can provide an adversary with a inductive picture of friendly force operations, locations, and tempo. Much like watching surges in pizza deliveries to headquarters buildings at night, an adversary can infer forward operations by spikes in data traffic.
While the technical specifics are beyond the scope and span of SSD, this decision is still quite relevant to our readership.
For further information, check out this article from our peers at SUASnews.
Well, no sh*t. What were they thinking? It has long been feared or postulated that Chinese electronics are trojan horses. Why would a UAS be different?
I have a DJI drone, for personal/hobby use. Now I know how to troll the Chinese directly.
Don’t use this policy as an excuse to use your drone to take video of your junk; you were going to do that regardless.
In addition to the various security issues, there is a common issue between the COTS commercial radios and these UASs – they are using frequency ranges licensed for use by and for civilians under the FCC – which, in turn, is complying with international treaties regarding frequency distributions.
Having US Government agencies using freq ranges set aside for civilian use violates US and international law.